This post was recovered from archive.org. It was origionally posted on Friday, September 3, 2004.
First off if you’re wondering what an alternate data stream (ADS) is, it’s a file stream that is stored in your file system (NTFS in this case) inside (or attached) to a normal file. I don’t claim to be an expert on the topic but this is what I do know (or I think I know). You can use them to “hide” files inside other files (so to speak). Some people may thing this is a bug or security hole but it actually has a purpose. From my understanding it was originally used for compatibility between NTFS and the Mac OS file system (I can’t remember the exact name of the file system) but this is all second hand information that I haven’t verified.
Now that you have an idea of what ADS’s are (if you didn’t know before) and are probably starting to see some ways you could use them to your advantage I’ll show you how to use them from C# and VB.Net. First off there is no framework support for them (yet… this is based on version 1.1) you’re going to have to use pinvoke to functions in the kernal32.dll. You’ll mainly need CloseHandle, CreateFile, DeleteFile, OpenFile, ReadFile and WriteFile (you’ll also want the OFSTRUCT structure and the constants used by the functions). Once you have those functions imported you’ll be able to make your ADS’s, read and write to them, and delete them. To do this all you have to do is append a filename to another filename separated by a “:” the second filename being the identifier for your ADS (C:\myfile.txt:myads.txt) and pass it in as the lpFileName parameter of the OpenFile and/or the CreateFile functions. You then use the Read and Write to it with the ReadFile and WriteFile functions (as I’m sure you could have guessed). Once you’ve done that you just use the CloseHandle function to close the handle created with the OpenFile or CreateFile functions. And that’s all there is to it. You can now attach any file you want to any other file.
Some things this has been used for is attaching thumbnails to images (this is how windows did it before thumbs.db), attaching file history or just plain hiding files. This is also the method being used by IE in Windows XP SP2 to track what files were downloaded from the net.
There is a tool you can use to see ADS’s on your files called List Alternate Data Streams (LADS) by Frank Heyne. This can be very useful if your working with ADS’s since without it you can’t see them. There are also some good sites out there like this one: http://patriot.net/~carvdawg/docs/dark_side.html that shows you how to create, read, write and delete ADS’s using simple DOS commands.
Well I hope this was useful. I’ve created some very simple sample projects in both C# and VB.Net you can download here if you’re interested. (I'm still trying to dig these up)
If you have any more information on ADS’s that I missed (like more history of them or something) please feel free to add some comments. I for one would like to know about it and I’m sure some other people would too.
Update: I also forgot to mention that ADS's aren't limited to file's you can also attach them to directories like this: c:\windows:myads.txt
Update: Fixed spelling and there was an bug in the C# project in the demo with the browse button (renamed the control and broke my event registration).
